
/ee/license endpoint returns "OK" when required licenseKey field is missing / misspelled #1152

Open
@danielshawellis

Description

Environment

  • SuperTokens Core: latest Docker image (registry.supertokens.io/supertokens/supertokens-postgresql)
  • Self-hosted, Postgres backend

Steps to reproduce

# 1. Core starts with a fresh DB (no licence key saved)

# 2. Call the endpoint with a malformed body
PUT /ee/license
Headers:
  Content-Type: application/json
  api-key: CORE_API_KEY
Body:
{
  "licenceKey": "ABC..."   // <-- British spelling, or even {}
}

# 3. Response
HTTP 200
{ "status": "OK" }

# 4. Check feature flags
GET /ee/featureflag
→ { "features": [] }

Expected behaviour

The endpoint should reject the request (4xx or a JSON error such as FIELD_MISSING / INVALID_INPUT) when the required licenseKey property is absent or misspelled.

Actual behaviour

The handler ignores unknown / missing properties, falls back to the (empty) stored key, and returns "OK", causing silent misconfiguration.

Impact

Startup scripts think the licence has been activated, but Enterprise features actually stay disabled until someone manually calls the endpoint with the correct payload.

Please tighten validation so the call fails explicitly whenever licenseKey is missing or misspelled.
Thanks!
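Until the core validates the body itself, a startup script can apply the checks the reporter asks for on the client side. The following is an added example, not SuperTokens code and not part of the original issue: it rejects a payload whose only property is not exactly `licenseKey` (so `licenceKey` and `{}` both fail), and it treats the `PUT /ee/license` response as inconclusive, reading `GET /ee/featureflag` afterwards and requiring a non-empty `features` list before reporting success. The endpoint paths, the `api-key` header and the response shapes are taken from the report; `CORE_URL`, the hypothetical feature name in the sample data and the helper names are assumptions.

```python
"""Client-side guard for PUT /ee/license (added example, not SuperTokens' own code).

The core currently answers {"status": "OK"} even when the required `licenseKey`
property is missing or misspelled, so a script must (1) validate the payload
before sending it and (2) verify activation via GET /ee/featureflag rather than
trusting the "OK".
"""
import json
import urllib.request
from typing import Any, Optional

REQUIRED_FIELD = "licenseKey"          # exact property name the core expects
CORE_URL = "http://localhost:3567"     # assumption: default self-hosted core address


class LicensePayloadError(ValueError):
    """Raised when the body would be silently ignored by the core."""


def validate_license_payload(body: Any) -> str:
    """Return the license key if `body` is exactly {"licenseKey": "<non-empty>"}.

    Unknown properties (e.g. the British spelling `licenceKey`) and an empty
    object are rejected instead of being sent and accepted as "OK".
    """
    if not isinstance(body, dict):
        raise LicensePayloadError("body must be a JSON object")
    unknown = sorted(set(body) - {REQUIRED_FIELD})
    if unknown:
        raise LicensePayloadError(
            f"unknown properties {unknown}; the required property is {REQUIRED_FIELD!r}"
        )
    key = body.get(REQUIRED_FIELD)
    if not isinstance(key, str) or not key.strip():
        raise LicensePayloadError(f"{REQUIRED_FIELD!r} is missing or empty")
    return key


def activation_verified(put_response: dict, featureflag_response: dict) -> bool:
    """True only if PUT said OK *and* the feature list is now non-empty.

    {"status": "OK"} followed by {"features": []} is exactly the silent
    misconfiguration described in the issue, so it returns False.
    """
    if put_response.get("status") != "OK":
        return False
    features = featureflag_response.get("features")
    return isinstance(features, list) and len(features) > 0


def _call(core_url: str, api_key: str, method: str, path: str,
          body: Optional[dict] = None) -> dict:
    """Minimal JSON request to the core with the api-key header."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(core_url + path, data=data, method=method)
    req.add_header("api-key", api_key)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def activate_license(core_url: str, api_key: str, body: dict) -> bool:
    """Validate, send, then verify; raises LicensePayloadError on a bad body."""
    key = validate_license_payload(body)
    put_resp = _call(core_url, api_key, "PUT", "/ee/license", {REQUIRED_FIELD: key})
    ff_resp = _call(core_url, api_key, "GET", "/ee/featureflag")
    return activation_verified(put_resp, ff_resp)


if __name__ == "__main__":
    # Constructed sample responses mirroring the report (no network access needed).
    ok_but_empty = activation_verified({"status": "OK"}, {"features": []})
    print("silent misconfiguration detected:", not ok_but_empty)
    for bad in ({"licenceKey": "ABC..."}, {}):
        try:
            validate_license_payload(bad)
        except LicensePayloadError as exc:
            print("rejected", bad, "->", exc)
```

In a deployment script, replace the `__main__` block with `activate_license(CORE_URL, CORE_API_KEY, {"licenseKey": KEY})` and fail the deployment when it returns False; the `PUT` status alone is not a signal that Enterprise features are enabled.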
